Oracle SQL Injection

[Mark Keegan <mark.keegan () paradise net nz>]

Hi Group, I am performing my first web assessment on a web application with
an Oracle backend.  Now I need to say that my background is solidly in the
MS space and Oracle is a new beast to me.  I have discovered that the
application is open to SQL injection and while I can perform the typical
UNION queries to harvest information from other tables I am failing to
execute other statements such as INSERT, DELETES or DROPs.  In MSSQL I can
use a Semicolon ; to append these types of statements as follows:
 
;UPDATE sometable SET column x = 'blah'--
 
It appears that Oracle does not like this type of syntax where we are
appending an UPDATE onto an existing SELECT statement.  Could someone please
point me in the right direction on how to execute these type of commands.  
 
I should also say that the application appears to be replacing a semicolon
with a coma.
 
Many Thanks
Mark
 
 



-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------